Forum Discussion
SAML SSO Without a Webtop
I have tried these iRules and am still unable to get this to work in my environment. When redirected, it immediately logs out. I receive an "Authorization failure: Denied request for SAML resource" and a "Session deleted due to user logout request." in the log.
when ACCESS_POLICY_COMPLETED {
    # Map the URI the user originally landed on to the matching SAML IdP resource
    switch -glob [ACCESS::session data get session.server.landinguri] {
        "/mycloudapp*" {
            ACCESS::respond 302 Location "https://idp.mycompany.com/saml/idp/res?id=/Common/MYCLOUDAPP"
        }
        "/proofpoint*" {
            ACCESS::respond 302 Location "https://idp.mycompany.com/saml/idp/res?id=/Common/PROOFPOINT"
        }
        "/businessolver*" {
            ACCESS::respond 302 Location "https://idp.mycompany.com/saml/idp/res?id=/Common/BUSINESSOLVER"
        }
    }
}
and
when HTTP_REQUEST {
    # If the URI isn't already a redirect to an SP resource, and this is an active
    # (allowed) APM session, redirect to the SAML SP resource
    if { not ( [HTTP::uri] starts_with "/saml/idp/res?id=" ) and ( [HTTP::cookie exists MRHSession] ) and ( [ACCESS::session exists -state_allow -sid [HTTP::cookie value MRHSession]] ) } {
        switch [string tolower [HTTP::host]] {
            "idp.domain.com" {
                HTTP::redirect "/saml/idp/res?id=/Common/idp.domain.com-resource"
            }
        }
    }
}
when ACCESS_POLICY_COMPLETED {
    # Redirect to the SAML SP resource
    switch -glob [string tolower [ACCESS::session data get session.server.network.name]] {
        "idp.domain.com" {
            ACCESS::respond 302 Location "/saml/idp/res?id=/Common/idp.domain.com-resource"
        }
    }
}
BM0001
 
A couple of things. Break out the troubleshooting: leave off the when HTTP_REQUEST event until you get the when ACCESS_POLICY_COMPLETED bit working, or vice versa.

Second, take a look at https://devcentral.f5.com/s/articles/apm-cookbook-autolaunch-saml-resources-21377

Hopefully that will help. I don't think you need to specify the https://idp.mycompany.com in your 302 Location statement. Also, I think you are missing the -glob option after your switch under your when HTTP_REQUEST.
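As an added example (not code from the original post or from BM0001's reply), here is the consolidated form the reply's advice points toward: a single ACCESS_POLICY_COMPLETED iRule that maps the landing URI to a SAML IdP resource with one switch -glob, issues a relative Location so the IdP hostname is not hard-coded, and logs what it saw so the redirect can be checked on its own before any HTTP_REQUEST logic is added. It assumes the three resources named in the question (/Common/MYCLOUDAPP, /Common/PROOFPOINT, /Common/BUSINESSOLVER) exist and that the access policy assigns them to the session; the log line and the default branch are additions for troubleshooting.

```tcl
# Added example, not from the original post. Assumes the SAML IdP resources
# referenced below exist on the BIG-IP and are assigned to the session by the
# access policy; an unassigned resource is still denied by APM regardless of
# where the 302 points.
when ACCESS_POLICY_COMPLETED {
    # Landing URI is what the user originally requested before the policy ran
    set landing [string tolower [ACCESS::session data get session.server.landinguri]]

    # Troubleshooting aid: see exactly what the policy saw before any redirect fires
    log local0. "SAML autolaunch: landing URI '$landing'"

    # Pick the resource from the landing URI; leave res empty when nothing matches
    switch -glob -- $landing {
        "/mycloudapp*"    { set res "/Common/MYCLOUDAPP" }
        "/proofpoint*"    { set res "/Common/PROOFPOINT" }
        "/businessolver*" { set res "/Common/BUSINESSOLVER" }
        default           { set res "" }
    }

    if { $res ne "" } {
        # Relative Location keeps the browser on the same virtual server and
        # avoids hard-coding the IdP hostname in the iRule
        ACCESS::respond 302 noserver Location "/saml/idp/res?id=$res"
    } else {
        # No mapping: fall through to whatever the policy would do anyway
        log local0. "SAML autolaunch: no resource mapped for '$landing', not redirecting"
    }
}
```

With only this event attached, the /var/log/ltm line shows whether the landing URI was captured and which resource was chosen; if the subsequent request to /saml/idp/res still logs "Denied request for SAML resource", the problem is in the resource assignment in the policy rather than in the redirect.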
 